Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins

Matthew Allen Cook, who police have charged in one Houston hotel room break-in and suspect in others. Hotel staff say a hacking tool was used to open its keycard locks.

Whoever robbed Janet Wolf’s hotel room did his work discreetly.

When Wolf returned to the Hyatt in Houston’s Galleria district last September and found her Toshiba laptop stolen, there was no sign of a forced door or a picked lock. Suspicions about the housekeeping staff were soon ruled out, too—Wolf says the hotel management used a device to read the memory of the keycard lock and told her that none of the maids’ keys had been used while she was away.

With the mystery unexplained, the Hyatt tried to give its guests a sense of security by posting a guard in its lobby. But Wolf couldn’t shake the notion that a thief could re-enter her room at any time. "I had dreams about it for many nights," says Wolf, a 66-year-old Dell IT services consultant traveling in Houston for business. "I’d wake up and think I saw someone standing there at my desk."

Two days after the break-in, a letter from hotel management confirmed the answer: The room’s lock hadn’t been picked, and hadn’t been opened with any key. Instead, it had been hacked with a digital tool that effortlessly triggered its opening mechanism in seconds. The burglary, one of a string of similar thefts that hit the Hyatt in September, was a real-world case of a theoretical intrusion technique researchers had warned about months earlier—one that may still be effective on hundreds of thousands or millions of locks protecting hotel rooms around the world.

Last month Houston police arrested 27-year-old Matthew Allen Cook and charged him with theft in a September 7th break-in at the Hyatt House Galleria. Police also listed Cook as a suspect in the theft from Wolf’s room four days later and that of another guest at the hotel. Cook, who has a prior history of arrests for thefts and burglary, was identified when an HP laptop stolen from one of the hotel rooms was found in a local pawn shop, where staff helped police to identify him.

A Houston police spokesperson offered no information about how Cook might have accessed the rooms he allegedly looted. But White Lodging, the Hyatt franchisee that manages the Houston hotel, believes that the rooms were opened using a device that takes advantage of a glaring security vulnerability in keycard locks built by the lock company Onity, specifically a model of lock that appears in at least four million hotel rooms worldwide.

On stage at Black Hat, Brocious showed it was possible to insert the plug of a small device he built with less than $50 in parts into the port at the bottom of any Onity keycard lock, read the digital key that provides access to the opening mechanism of the lock, and open it instantaneously.

In a statement sent to me, a White Lodging spokesperson says the company became aware of the vulnerability in its Onity locks in August, based on reading one of the stories I wrote about Brocious's lock-hacking technique over the summer. But White Lodging says Onity only implemented a fix for that flaw in its locks after the September break-ins at the Houston Hyatt, around two months after I first alerted Onity to Brocious’s work.

Following those September incidents, White Lodging resorted to plugging the port at the bottom of its Onity locks with “epoxy putty,” according to the letter it sent to guests at its Houston location. The hotel company says it's now working with Onity to put a more permanent solution in place, either plugging the locks' ports or replacing their circuit board at every location it manages. "We sincerely regret that these thefts occurred, and hope that measures we have taken satisfy your concerns," reads the letter to guests from White Lodging vice president Thomas Riegelman.

But even Onity’s official response, late as it may be, has left something to be desired. Rather than pay for the full fix itself, which requires a new circuit board for every affected lock, Onity has asked its hotel customers to cover the cost of those hardware replacements. Its free alternative involves merely blocking the port on the bottom of the lock instead with a plastic plug and changing the screws on the locks to a more obscure model to make it harder to open the locks’ cases and remove the plugs.

Forcing the customer to pay for anything beyond a band-aid-style fix may mean the flaw will remain unpatched in many cases, warns Brocious. "Given that it won't be a low cost endeavour, it's not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger," he wrote in a blog post in August. "If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer...I can't help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks."

Meanwhile, the Houston Hyatt may not be the only site hit with the Onity hack. An alert published by the insurance firm Petra Risk Solutions in October claimed that “several” hotels in Texas have had their locks opened with Brocious' technique. Todd Seiders, a former Marriott security director who now works as director of risk management at Petra, says he spoke with the general manager of one of those hotels, who knew of at least three Texas hotels affected in total, though Seiders declined to name them.

It's not clear if suspects have been arrested in those cases. In a phone interview, Cook's lawyer Charles Thompson declined to speak about the case or make Cook available for comment. “We will vigorously defend these charges, and all the facts will be available after the trial,” Thompson said.

When I first wrote about Brocious’s technique in July, his lock-hacking tool seemed to be unreliable: In tests we conducted at three New York hotels, he was only able to open one out of three rooms, and only after a few minutes of tweaking his device.

As the technique spreads, hotels with Onity locks need to either shell out for Onity's circuit board fix or at least block access to their locks' ports, says Todd Seiders of Petra Risk Solutions. He estimates that more than 80% of his customers have implemented a fix since August, but says that many more hotels around the world may not have been so careful.

"We’re expecting incidents in which these devices are used to explode nationally," says Seiders. "As crooks find success with it, they’re going to go back to the Internet and say 'hey, it works. I was able to break into ten rooms.' And then others build it and try it. We’re going to get hit hard over the next year."

All of which raises the question of whether Brocious should have ever brought his findings to light. Brocious, after all, didn't alert Onity to its security flaw before his presentation at Black Hat (though I did) and even licensed his technique for $20,000 to the Locksmith Training Institute, which trains law enforcement and others, more than a year before he made it public.

Brocious has countered that Onity's security bug is so simple it may have already been discovered by other hackers who used it in secret. And he says hotels needed to be made aware of the locks' flaws so they could switch to a more secure model. "I see no path to mitigate this from Onity’s side," he told me in July. "Hotels need to come up with a plan to move to more secure locks."

As for Janet Wolf, an actual victim of the Houston hotel thefts, she blames the Hyatt, not Onity. "If they're vulnerable to these hackers and they knew this was a problem, to me that's their fault," she says.

And would she rather that Onity's security flaw had never been publicized in the first place?

"No," she says. "It should be made public so that the hotels can fix it. If people are vulnerable and there's a fix out there, they need to know."

Correction: A previous version of this story misstated Janet Wolf's age. She's 66 years old.